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SUMMARY/ABSTRACT 

A study was performed to assess the effect of booster configuration on the ascent abort process. A generic abort 
event sequence was created and booster related risk drivers were identified. Three model boosters were considered 
in light of the risk drivers: a solid rocket motor configuration, a side mount combination solid and liquid 
configuration, and a stacked liquid configuration. The primary risk drivers included explosive fireball, 
overpressure, and fragment effects and booster-crew module re-contact. Risk drivers that were not specifically 
booster dependent were not addressed. The solid rocket configuration had the most benign influence on an abort 
while the side mount architecture provided the most challenging abort environment. 
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INTRODUCTION 

NASA has recently focused on new space transportation options to replace the aging Space Shuttle fleet while 
also regaining the capability for humans to explore the moon. With current plans calling for the retirement of the 
Space Shuttle by 2010 [1], the new system must be able to service the International Space Station (ISS) near this 
time to ensure continuous U.S. access. In addition, plans call for the first human return to the lunar surface by 2018. 
These goals, in conjunction with the current budget allocations, essentially preclude a completely new system, 
requiring the goals to be met largely within the existing technology base. 

Future space transportation architectures must meet the required performance goals in a short time but must 
also do so with a heightened focus on crew safety. The STS- 107 tragedy has re-affirmed the need to design a 
concept from the outset with crew safety in mind. 

Current NASA human rating requirements [2] require a crew escape capability for any new space transportation 
systems intended to carry people. Beyond the requirements, a state-of-the-art booster will be unlikely to deliver 
acceptable safety levels based on current launcher reliability records [3]. The Space Shuttle experience has shown 
that depending on large reliability increases is dangerous. Consider that early ascent flight safety estimates were on 
the order of one loss for every 100,000 flights while reality consisted of two losses per 100 flights [4]. The 
difference stems from many sources, but unreliability is unavoidable in a new, high-energy system such as a 
launcher. The experience base required to reach and demonstrate sufficient reliability would take years at best and 
would never materialize at worst. Therefore, crew safety goals can only be practically realized via abort capability. 
Figure 1 shows the loss of crew probability versus launcher reliability for different abort effectiveness rates. The 
figure clearly illustrates that a crew escape system is required to meet improved safety goals. 



Figure 1: Crew risk versus abort effectiveness and booster reliability. 

The booster architecture plays a paramount role in the overall safety of a launch system. The booster determines 
the likelihood of an abort and establishes the failure environment from which the crew must escape. This paper will 
compare several general classes of boosters from the point of view of the failure environment and assess the impact 
of booster type on abort success. The likelihood of an abort given a booster requires specific design knowledge and 
is beyond the scope of the current discussion. However, it must be kept in mind that a concept that which provides 
a feasible escape scenario may not be the safest if its reliability is low enough to force a high number of aborts. 

ABORT SEQUENCE 

The abort sequence, after a booster failure has occurred, is generally represented as some combination of the 
events in Figure 2. Each of the top events in the abort sequence was decomposed into the appropriate risk drivers 
using fault trees and phenomenological models. This analysis focused on the abort risks and assumed that a failure 
requiring an abort had already occurred. As a result, several physical phenomena surfaced as the primary risk 
drivers related to the interaction between the crew module (CM) and booster during an abort [15]. A description of 
the risks is included in the following discussion of the top events. 
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Figure 2: General abort event sequence. 


Energetic hazard: This initiating event consists of a failure with the launch system that requires an abort for the 
crew to survive. The specific failures, and their corresponding probabilities, are not discussed in this paper. For all 
analyses herein, the initiating failure is assumed to have occurred, and no distinction is made between failure types. 

Detect failure and activate escape system: Failure detection determines the lead time available to execute the 
abort sequence. In the best case, the health monitoring system detects a failure precursor with enough time to 
activate the escape system and separate the crew well before the failure manifests. In the worst case, the failure is 
assumed to be detected when the result of the failure is realized. 

Escape system activation physically initiates the process of moving the CM away from the booster and the 
related failure environment. The activation of the launch escape system (EES) itself involves some level of risk, but 
a well-designed escape system would have high enough reliability that the activation of the system would not be a 
significant risk driver. Regardless, the escape system is taken as the same for all of the configurations in this study, 
so any added risk would be constant and hence not a discriminator. 

The detect failure and activate escape system event is not treated as a Top Event in this case. Rather, the ability 
to detect a failure influences the downstream Top Events which are represented through physical models. For 
example, the ability to detect an anomaly that will lead to a failure could generate the one second warning time 
assumed in the Survive explosion event. 

Separate CM: The CM must be safely separated from the failure that necessitated the abort. This primarily 
involves a physical disconnection of the CM from the stack without overloading the structure or the crew through 
loads transmitted by the stack, escape system loads, re-contact of the CM with the booster. The probability of re- 
contact between the CM and stack depends on the design and the flight conditions at which the abort is attempted. 
Design impacts primarily include the launch escape system (LES) thrust, CM geometry (mass and drag), and 
booster thrust relief options. Flight conditions, Mach number and dynamic pressure, drive the aerodynamic forces 
that the LES must overcome to avoid re-contact. The risk for well-designed architectures is maximum at the 
transonic and high dynamic pressure regimes and falls off quickly before and after. For nominal operation the risk, 
even in these regimes, is small, though the Little Joe II test program prior to Apollo flights experienced a re-contact 
during an abort. However uncertainty in drag (poor prediction) or LES thrust (manufacture or temperature effects) 
coupled with a high dynamic pressure abort could result in catastrophic failures. 

Survive explosion: Once separation between the CM and stack is achieved, the LES must provide enough 
distance to avoid any fireball, overpressures, or fragments generated by detonation of the booster fuel. The distance 
required is a function of the amount and type of fuel released, the amount of mixing of released fuel with oxidizer or 
atmospheric oxygen, availability of detonation source, and flight conditions. The first factors determine the strength 
of any detonation waves, while the flight conditions bound the ability of a blast wave to propagate toward the CM. 
Safe removal from the stack strongly depends on the type of initiating failures (severity, detection potential, warning 
time) and the relative position of the CM and booster. 

Stabilize crew module in safe orientation: Once the CM has safely separated from the booster, it must be 
stabilized in the proper orientation to survive any aerodynamic or thermal loads as well as to deploy the recovery 
gear. This is primarily a CM design issue, but certain booster failures could potentially put the CM into motion that 
would be harder to recover from than others. 

Land and recover: Required drogues and main chutes must successfully deploy and function. This would also 
include any additional configuration changes required for the recovery gear to function such as heat shield jettison 
prior to airbag deployment, etc. Landing itself requires reaching a suitable landing site and slowing to a safe 
touchdown speed. Recovery consists of surface resources reaching the crew, extricating them from the CM, and 
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returning to the appropriate location. Again, this phase is a function of the CM design. Booster differences could 
show up through different recovery rates based on when/where a booster is most likely to fail. This comes from 
differences in ascent trajectory as well as reliability variances over the mission time. For example, aborts could 
results in landing in cold seas far from surface recovery resources. Even if the physical landing site is benign, a lack 
of a priori knowledge of landing location will introduce risk over nominal landing scenarios. Since the current 
discussion does not focus on performance or reliability differences between the boosters, these abort differences are 
considered non-discriminators. 

BOOSTER INFLUENCE ON ABORT RISK 

Three model boosters were selected for the study, a solid rocket motor (SRM) concept, a side mount (SM) 
concept, and a triple core expendable launch vehicle (ELV). All of the concepts were generalized to expose the 
types of risks the boosters present during an ascent abort. The CM and LES are assumed constant across all of the 
designs. The results are not intended to quantify the safety of specific vehicles. 

The SRM vehicle consists of a solid rocket booster first stage combined with a LOX-H2 upper stage. The stack 
stands approximately 250 feet tall and carries approximately 250, 000 lbs. of LOX-H2 propellant in the upper stage. 
The SRM utilizes an HD 1.3 solid propellant which is capable of burning but will not detonate. Examples of 
specific vehicles of this type can be found in the NASA ESAS Final Report or in Reference 5. 

The SM concept is modeled after a human rated version of the Shuttle-C concept. The cargo container is 
replaced by a stack topped with a CM and LES. Two solid rocket boosters are attached to the central external tank 
(ET), which stands approximately 175 feet tall and contains 1.5 million lbs. of LOX-H2. The assumed CM base 
position is approximately 50 ft. lower than the tip of the ET. As with the SRM design, the solid propellant is not 
considered a detonable material. An example of a specific side mount concept can be found in Reference 5. 

The triple core liquid fueled booster is representative of emerging heavy lift launchers. The model vehicle 
consists of three identical cores carrying a total of 1.7 million pounds of LOX-H2. Each core stands 100 ft. tall and 
the central core is equipped with an upper stage. The upper stage adds approximately 50 ft in height. 

During flight, the risk to the crew due to a fireball would be very low due to low exposure times [7]. A near- 
pad incident, however, would likely result in a very large fire that could introduce risk. Concerns arise from fire 
damaging the chutes more than the CM itself. Generally, the threat to the crew is small as long as the CM clears the 
fire before descent and landing. Therefore, the risk due to fireball is localized to near-pad incidents and scales with 
the amount of fuel. Figure 3 shows the relative risk between configurations. The ELV, because it contains the 
largest amount of liquid fuel presents the largest risk. Conversely, the design with the least liquid fuel, the SRM, 
imposes the smallest fireball risk. Again, the current analysis does not presume the relative likelihood of a fireball, 
but relates the relative risk of the three booster options should a fireball occur. This analysis scope is maintained 
throughout the paper because the former requires a detailed booster reliability study which is beyond the scope of 
the current analysis. 



□ SRM 
■ ELV 

□ SM 


Figure 3: Relative fireball risk. 

A model was created to predict CM damage due to fragments ejected by a booster explosion based on military 
weapon models and models of ejecta from exploding satellites [8,9]. The model assumes a contained explosion and 
determines the fragment size and initial velocity based on the explosion strength and the mass of the structure. An 
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isotropic initial fragment distribution is assumed and the fragment trajectories are simply integrated through the 
flow field at the time of the booster failure. The assumptions of the model are very pessimistic as the likelihood of a 
contained explosion consuming a significant portion of the on-board fuel is very low. In addition, large spacecraft 
structures are not likely to isotropically break into large fragment fields as assumed by the model. To offset the 
assumptions somewhat, a 2% fuel to TNT equivalence is assumed as a worst case (compared with a 10% 
equivalence for an unconfmed blast). 

The damage tolerance of the CM is based on micrometeoroid and orbital debris (MMOD) studies [10]. 
Reference 10 presents a relationship between particle mass, velocity, and penetration depth for given structures. 
The current analysis assumes a failure probability as a function of penetration depth past the heat shield. For most 
abort scenarios, until the last segment of ascent, damage to the heat shield would not constitute a loss of crew as the 
thermal protection requirements are much less than for an atmospheric entry. 

Figure 4 shows the relative fragment risk for all three configurations. In spite of the pessimistic model, the 
relative ranking makes sense. The level of risk is proportional to the amount of fuel and the proximity of the crew 
to the explosion center, in this case assumed to be at the inter-tank for all configurations. The SM configuration 
presents the largest risk for these reasons. By the same token, the relatively small amount of liquid fuel carried by 
the SRM vehicle gives it a slight advantage over the ELY. 



Figure 4: Relative risk due to fragments resulting from a contained explosion. 

Current work is ongoing to improve the initial fragment mass and velocity distribution based on more specific 
breakup analyses. 

Much work has focused on the effect of detonation overpressures on crew survival (see Reference 11 for a 
summary). A TNT equivalence model was used for this study based on the relationships suggested in Reference 11. 
Specifics of the blast model are discussed in Reference 12. The model accounts for variation in fuel mass and 
includes the effects of the flight conditions on the overpressure waves [13]. For the current analysis, the escape 
system and CM are assumed constant across all configurations. The primary differentiators then reduce to 
equivalent TNT of the remaining propellant, distance between CM and blast location, and the available warning 
time prior to an explosion. It is acknowledged that the TNT equivalence model is conservative, due to an over 
prediction of the pressure waves in the near field, but it does provide a relevant bounding case. 

The model was run for each class of booster using a 10% fuel to TNT conversion factor. This TNT equivalence 
represents a worst case [11] and is included as a bounding scenario. Only the liquid fuel contributed to the TNT 
equivalence for each configuration. Results were generated to show the required warning time to reach a 6 psi 
overpressure with a 10 g escape system for each of the booster classes as a function of mission elapsed time (MET), 
Figure 5. The required warning time generally decreases with MET due to a reduction in on-board fuel and an 
increase in Mach number and altitude. All configurations reach a flight point where, within the modeling 
assumptions, any blast wave produced can not propagate upstream fast enough to reach the CM with critical 
strength. The SM configuration requires the longest warning time primarily because of the smallest distance 
between the crew and the inter-tank and the relatively large fuel supply. The ELV falls between the other two 
designs for most of the flight envelope shown, but does cross the side mount curve at a MET of approximately 130 
seconds. This occurs because the side mount vehicle quickly moves through the Mach range where the blast no 
longer poses a threat, while the ELV trajectory assumed here accelerates slightly slower though this flight regime. 
The SRM design requires the least warning time because of the lowest TNT equivalence and the warning time 
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required falls off the fastest because this vehicle accelerates the fastest, moving through the critical region much 
earlier than the other configurations. 
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Figure 5: Required warning time to survive a 10% TNT equivalent explosion. 

For an assumed warning time of 1.0 second, the overpressure risk is integrated over each ascent mission. The 
relative risk contributions are shown below (Figure 6). The relative risk scales in the same way as the required 
warning time. 


□ SRM 

□ ELV 



Figure 6: Relative blast overpressure risk. 

Re-contact between the booster and CM is a concern at high-drag flight conditions when the LES delivers 
lower than expected thrust, for example see Reference 16. For the 10 g escape motor, the re-contact risk would be 
virtually zero unless the LES malfunctioned. However, the results are included because the risk should be 
considered if the LES performance is reduced during the design process. Figure 7 shows the relative re-contact risk 
for the three configurations. The ELV has essentially a zero probability of re-contact because the main propulsion 
system is shut down as part of the abort process. The side mount vehicle can also shut the liquid engines down but 
not the solid boosters. Therefore, the SM has a higher re-contact probability prior to staging. The SRM cannot shut 
down, but this condition is exacerbated by the high thrust to weight ratio which results in the highest re-contact 
probability. After staging, the SRM concept can shut down the liquid fueled propulsion, but this provides little 
benefit as the drag on the CM has significantly reduced by this time and the re-contact probability is nearly zero. 

The SM vehicle also runs the risk of a lateral re-contact due to the stacking geometry. Initial analysis has 
shown that likely pitch rates would not cause the ET to interfere with the CM abort trajectory. However, a fully 
coupled aerodynamics and trajectory simulation is needed to give confidence to this conclusion. In addition, 
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aerodynamic breakup of this side mount configuration would lead to a high probability of debris contacting the CM, 
something much less likely to occur with the stacked configurations. This risk is in addition to the fragment results 
presented earlier and the longitudinal re-contact shown in Figure 7. This risk is likely higher that either the 
fragment or re-contact risks discussed. 


□ SRM 

□ ELV 



*Does not include risk due to debris from aerodynamic breakup. 

Figure 7: Relative longitudinal re-contact risk, not including debris damage from aerodynamic 

breakup. 

Some of the risk drivers are primarily associated with the design of the CM and are only weakly connected to 
the booster. For example, stabilizing the CM depends strongly on the stability level of the CM which is driven 
primarily by the geometry and center of gravity location of the CM. While the initial conditions from which the CM 
must stabilize depend on the booster failure, the difference between the boosters would be small. This stems from 
the general loss of control failures associated with the boosters. The vehicles are all large, heavy configurations that 
would not rapidly produce large pitch (or yaw) rates. All of the configurations are assumed equipped with sensors 
that would initiate an abort at pre-specified rate limits. The external forces and moments that would be required to 
generate large angular accelerations would be much more likely to break the vehicles than actually pitch the launch 
systems. Again, some boosters may be more likely to lose control than others, but that is an issue of needing to 
abort more frequently as opposed to surviving an abort once initiated. For this reason, the risk associated with 
stabilizing the CM is, to first order, no different between the concepts. 

Similarly, there is little difference between configurations when it comes to reaching a safe landing site, safely 
landing, and recovering the crew. These events are a strong function of the CM and only depend on the booster 
ascent trajectory. A booster with a high thrust to weight ratio could potentially have a steeper ascent trajectory and 
reach orbit earlier than a lower thrust option. This would have a slight effect on recovery efforts because the abort 
landing footprint would be smaller for a steeper trajectory. For launches from the eastern US, a steep trajectory 
could also reduce the chance of aborting to the North Atlantic. These issues are discussed in Reference 14. Though 
there are theoretical differences in the recovery risk, the practical difference would be small for these booster 
options. 

CONCLUSION 

An ascent abort system is required to meet safety goals for all current human spaceflight architectures. The 
abort sequence is generally the same for all space transportation systems and includes: detect failure and activate 
escape system, separate crew from booster, survive any explosion effects, stabilize the crew module, safely land, 
and recover crew. The primary booster dependent risk drivers for the abort sequence include failures due to fireball, 
blast fragments, blast overpressure, and booster-crew module re-contact. Other risk drivers exist but are only 
weakly coupled with the booster architecture. Three booster classes were considered in the context of the primary 
risk drivers: a solid rocket motor (SRM) booster, a stacked liquid booster, and a side-mount shuttle-derived system. 
The side-mount configuration provided the failure environments that made abort the most difficult, and the SRM 
based booster had the most benign abort environments. It is noted that the abort environment contribution presented 
here is only part of the solution as the booster reliability is also a critical consideration. 
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